BioPassword: Authentication Approach Going from Low-Key to Keystone?

Back in the late 1990s, in a small booth at a trade show, a little authentication technology made a low-key debut. Nearly a decade later, the planets of industry support, government regulation and marketing know-how may be aligning in favor of that technology, keystroke dynamics-based authentication.

The underlying idea is that all users have a unique rhythm for typing in their usernames and passwords. Rather than relying on smart cards or thumbprint readers for two-factor authentication, the keystroke approach logs the pattern that a user follows while typing in authentication information. After taking a few keystroke samples, the software creates an acceptable range of typing rhythms for that particular user. At log-on time, if the username/password combo is typed in within the required range, the user gains access. If not, the user is rejected, even if the correct password has been used.
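The enroll-then-compare flow described above, as an added example that is not BioPassword's code: it assumes per-key press/release timestamps in milliseconds and a simple band of mean plus or minus k standard deviations per timing feature, whereas the product is described as using neural networks. All function names, thresholds and sample timings are constructed for illustration.

```python
import hmac
from statistics import mean, stdev

def features(events):
    """events: list of (key, press_ms, release_ms) in typing order.
    Returns dwell times (hold per key) followed by flight times (gap between keys)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, k=3.0, min_sd=10.0):
    """Build a per-feature (low, high) acceptance band from enrollment samples."""
    vectors = [features(s) for s in samples]
    if len(vectors) < 2 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need >= 2 samples of the same length")
    bands = []
    for column in zip(*vectors):
        # Floor the deviation so a very consistent enrollment is not unusably tight.
        m, sd = mean(column), max(stdev(column), min_sd)
        bands.append((m - k * sd, m + k * sd))
    return bands

def verify(typed, expected, events, bands, min_fraction=0.8):
    """Accept only if the secret matches AND the rhythm fits the enrolled bands."""
    # Plaintext comparison keeps the example short; a real system compares hashes.
    if not hmac.compare_digest(typed.encode(), expected.encode()):
        return False
    vec = features(events)
    if len(vec) != len(bands):
        return False
    hits = sum(lo <= x <= hi for x, (lo, hi) in zip(vec, bands))
    return hits / len(bands) >= min_fraction

def sample(text, dwell, flight, jitter=0):
    """Constructed test data: type `text` with fixed dwell/flight (ms) plus jitter."""
    t, out = 0, []
    for i, ch in enumerate(text):
        d = dwell + (jitter if i % 2 else -jitter)
        out.append((ch, t, t + d))
        t += d + flight
    return out

PASSWORD = "hunter2"  # constructed secret, not from the article
ENROLLED = enroll([sample(PASSWORD, 90, 120, j) for j in (0, 5, 10)])
```

Widening `k` or lowering `min_fraction` trades fewer false rejections for more false acceptances.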

Executives with Net Nanny, a parental control software company, demonstrated the technology as early as the fall 1998 Comdex conference. After acquiring the technology from the Stanford Research Institute, Net Nanny eventually released BioPassword LogOn for Windows NT, but it never became the type of corporate standard software found on every desktop. Net Nanny eventually split the business off from its consumer Web content-filtering company.

Now operating under the same name as the product, Issaquah, Wash.-based BioPassword Inc. has been packing its executive team with industry veterans and aggressively seeking funding and partners over the last 18 months.

In November 2005, the company secured $4 million in funding each from Ignition Partners, a Seattle-based venture-capital firm stocked with ex-Microsoft executives, and OVP Venture Partners, and the company has also secured funding from Citrix Systems. The November deal with Ignition Partners brought former Microsoft CFO John Connors onto BioPassword's board of directors, Connors' first VC board assignment.

On the executive side, the company brought on former Microsoft CSO Greg Woods as chief technology officer and vice president in May 2005. Then, in early February 2006, the company appointed Mark Upson as president and CEO. Upson came from PureEdge Solutions Inc., where, as president, he engineered that company's sale to IBM. He's also done stints at IBM, Onyx Software and Wall Data.

To build a channel, the company launched the BioPassword Premier Partner Program in May 2006. The program, which started with 48 VARs in 18 countries, offers a partner portal, training, incentives, marketing tools and demand-creation programs, and sales and technical support. The company padded its channel program by entering a distribution deal with Tech Data in October.

Upson says the company now has more than 100 resellers in the program and remains on the lookout for more. "We sell through folks who are Microsoft Certified partners and folks who have some security expertise and Active Directory expertise," Upson says. "That intersection between Citrix VARs and Microsoft Certified partners works great for us."

BioPassword executives have high hopes for the timing of a new version of the product, BioPassword Enterprise Edition 3.0, which the company rolled out in late March.

"[Customers and partners are] seeing this rise in the need for second-factor authentication, and they're looking for new solutions. Being able to offer a software-based approach at a lower cost [is a plus]," Upson says. "We can still offer very aggressive margins because we're not seeing the price pressure that the hardware-based approaches are seeing."

Comments on Schneier's blog included many concerns about the effect that everything from a broken finger to too much caffeine might have on the rate of false rejections the biometric software might cause at logon. One new feature of the 3.0 release is the addition of knowledge-based questions that legitimate users can answer to gain access if they're accidentally locked out. At the same time, the company has adjusted the neural networks so that, over time, they adapt to changes in typing rhythm. Other new features of the 3.0 release include support for Outlook Web Access, Windows XP Embedded Thin Clients, multi-factor authentication on Citrix Access Gateway Advanced Edition and additional language capability.

The interest among government agencies and regulators in two-factor authentication will force the authentication industry's growth, Upson predicts. "There's relatively light coverage in the enterprise today with second-factor -- less than 5 percent. There's more compliance [requirements] coming, and identity theft is only going to get bigger. Over time, I think it's going to come very close to 100 percent [coverage in the enterprise]."